From 6ce3ff70f795351c8a81948639017ccf1b7a0325 Mon Sep 17 00:00:00 2001 From: Zak Rogoff Date: Wed, 18 Jun 2014 11:07:28 -0400 Subject: [PATCH] Revising to tell people to check fingerprints instead of Key IDs --- index.html | 8 +++++--- mac.html | 8 +++++--- static | 2 +- windows.html | 8 +++++--- 4 files changed, 16 insertions(+), 10 deletions(-) diff --git a/index.html b/index.html index 861a68d..90b13ba 100644 --- a/index.html +++ b/index.html @@ -298,8 +298,10 @@

When you sign someone's key, you are publicly saying that you trust that it does belong to them and not an impostor. People who use your public key can see the number of signatures it has. Once you've used GnuPG for a long time, you may have hundreds of signatures. The Web of Trust is the constellation of all GnuPG users, connected to each other by chains of trust expressed through signatures, into a giant Web. The more signatures a key has, and the more signatures its signers' keys have, the more trustworthy that key is.

-

People's public keys are usually identified by their key ID, which is a short string of 8 digits like 92AB3FF7 (for Adele's key). You can see your key ID on the right in OpenPGP → Key Management in your email program's menu.

-

It's good practice to share your key ID, so that so that people can double-check that they have the correct public key when they download yours from a keyserver. You may also see public keys referred to by their key fingerprint, which is a longer string of digits, like DD878C06E8C2BEDDD4A440D3E573346992AB3FF7. The key ID is just the last 8 digits of the fingerprint.

+

People's public keys are usually identified by their key fingerprint, which is a string of digits lik DD878C06E8C2BEDDD4A440D3E573346992AB3FF7 (for Adele's key). You can see the fingerprint for your public key, and other public keys saved on your computer, by going to OpenPGP → Key Management in your email program's menu, then right clicking on the key and choosing Key Properties. It's good practice to share your fingerprint, so that so that people can double-check that they have the correct public key when they download yours from a keyserver.

+ +

You may also see public keys referred to by their key ID, which is simply the last 8 digits of the fingerprint, like 92AB3FF7 for Adele. The key ID is visible directly from the Key Management Window. This key ID is like a person's first name (it is a good shorthand but may not be unique to a given key), whereas the fingerprint actually identifies the key uniquely without the possibility of confusion.

+ @@ -331,7 +333,7 @@

Important: check people's identification before signing their keys

-

Before signing a real person's key, always make sure it actually belongs to them, and they are who they say they are. Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

+

Before signing a real person's key, always make sure it actually belongs to them, and they are who they say they are. Ask them to show you their ID (nunless you trust them very highly) and their public key fingerprint -- not just the shorter public key ID, which could refer to another key as well. In Enigmail, answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

diff --git a/mac.html b/mac.html index e814c6f..f7dd483 100644 --- a/mac.html +++ b/mac.html @@ -305,8 +305,10 @@

When you sign someone's key, you are publicly saying that you trust that it does belong to them and not an impostor. People who use your public key can see the number of signatures it has. Once you've used GnuPG for a long time, you may have hundreds of signatures. The Web of Trust is the constellation of all GnuPG users, connected to each other by chains of trust expressed through signatures, into a giant Web. The more signatures a key has, and the more signatures its signers' keys have, the more trustworthy that key is.

-

People's public keys are usually identified by their key ID, which is a short string of 8 digits like 92AB3FF7 (for Adele's key). You can see your key ID on the right in OpenPGP → Key Management in your email program's menu.

-

It's good practice to share your key ID, so that so that people can double-check that they have the correct public key when they download yours from a keyserver. You may also see public keys referred to by their key fingerprint, which is a longer string of digits, like DD878C06E8C2BEDDD4A440D3E573346992AB3FF7. The key ID is just the last 8 digits of the fingerprint.

+

People's public keys are usually identified by their key fingerprint, which is a string of digits lik DD878C06E8C2BEDDD4A440D3E573346992AB3FF7 (for Adele's key). You can see the fingerprint for your public key, and other public keys saved on your computer, by going to OpenPGP → Key Management in your email program's menu, then right clicking on the key and choosing Key Properties. It's good practice to share your fingerprint, so that so that people can double-check that they have the correct public key when they download yours from a keyserver.

+ +

You may also see public keys referred to by their key ID, which is simply the last 8 digits of the fingerprint, like 92AB3FF7 for Adele. The key ID is visible directly from the Key Management Window. This key ID is like a person's first name (it is a good shorthand but may not be unique to a given key), whereas the fingerprint actually identifies the key uniquely without the possibility of confusion.

+ @@ -338,7 +340,7 @@

Important: check people's identification before signing their keys

-

Before signing a real person's key, always make sure it actually belongs to them, and they are who they say they are. Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

+

Before signing a real person's key, always make sure it actually belongs to them, and they are who they say they are. Ask them to show you their ID (nunless you trust them very highly) and their public key fingerprint -- not just the shorter public key ID, which could refer to another key as well. In Enigmail, answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

diff --git a/static b/static index e69e712..bcf35a0 160000 --- a/static +++ b/static @@ -1 +1 @@ -Subproject commit e69e712d11c753b9bb8a5c383c9f7a8644bde7c1 +Subproject commit bcf35a0d86c7843a58dbeef7cb9e52051891568d diff --git a/windows.html b/windows.html index dc1be5d..b57d9e8 100644 --- a/windows.html +++ b/windows.html @@ -303,8 +303,10 @@

When you sign someone's key, you are publicly saying that you trust that it does belong to them and not an impostor. People who use your public key can see the number of signatures it has. Once you've used GnuPG for a long time, you may have hundreds of signatures. The Web of Trust is the constellation of all GnuPG users, connected to each other by chains of trust expressed through signatures, into a giant Web. The more signatures a key has, and the more signatures its signers' keys have, the more trustworthy that key is.

-

People's public keys are usually identified by their key ID, which is a short string of 8 digits like 92AB3FF7 (for Adele's key). You can see your key ID on the right in OpenPGP → Key Management in your email program's menu.

-

It's good practice to share your key ID, so that so that people can double-check that they have the correct public key when they download yours from a keyserver. You may also see public keys referred to by their key fingerprint, which is a longer string of digits, like DD878C06E8C2BEDDD4A440D3E573346992AB3FF7. The key ID is just the last 8 digits of the fingerprint.

+

People's public keys are usually identified by their key fingerprint, which is a string of digits lik DD878C06E8C2BEDDD4A440D3E573346992AB3FF7 (for Adele's key). You can see the fingerprint for your public key, and other public keys saved on your computer, by going to OpenPGP → Key Management in your email program's menu, then right clicking on the key and choosing Key Properties. It's good practice to share your fingerprint, so that so that people can double-check that they have the correct public key when they download yours from a keyserver.

+ +

You may also see public keys referred to by their key ID, which is simply the last 8 digits of the fingerprint, like 92AB3FF7 for Adele. The key ID is visible directly from the Key Management Window. This key ID is like a person's first name (it is a good shorthand but may not be unique to a given key), whereas the fingerprint actually identifies the key uniquely without the possibility of confusion.

+ @@ -336,7 +338,7 @@

Important: check people's identification before signing their keys

-

Before signing a real person's key, always make sure it actually belongs to them, and they are who they say they are. Answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

+

Before signing a real person's key, always make sure it actually belongs to them, and they are who they say they are. Ask them to show you their ID (nunless you trust them very highly) and their public key fingerprint -- not just the shorter public key ID, which could refer to another key as well. In Enigmail, answer honestly in the window that pops up and asks "How carefully have you verified that the key you are about to sign actually belongs to the person(s) named above?".

-- 2.25.1